Spotting Suspicious Behavior with Osquery: A Comprehensive Guide

Blog Author
Guillaume Ross

Last week, Malwarebytes posted an article highlighting new malware discovered by John Lambert (Microsoft), Patrick Wardle (Objective-See and Digita Security) and Adam Thomas (Malwarebytes), and sure enough, persistence using launchd is still a common thing.


MacOS uses launchd to initialize processes and services on startup and on user login. These are called launch daemons and agents respectively, though functionally they are quite similar.


Since malware often needs to persist on systems, launchd is an obvious way to ensure required persistence. Additionally, since macOS malware is often quite basic compared to Windows malware (probably due to the fact that very few users run security software on Mac compared to Windows) more advanced methods are not always needed for malware to take hold.


In fact, this is used so often that roughly 2/3rds of the osquery osx-attacks.conf pack is made of queries looking for malicious launch items. Many of those launch items try to look like system items by using names that are similar to Apple, Flash, or common applications and browsers.


You can easily see the items that will run on your systems by using a query on the launchd table in osquery, and you can join it to other tables like the signature table, to know if they are signed with a legitimate certificate or not.

Almost every time malware is discovered for Mac, malicious launch items are involved. This makes monitoring your systems for suspicious launch items is a very time and cost effective practice for catching malware. It is especially effective because there is no dependence on signatures or definitions, so the same process works for finding old and new malware. Detecting suspicious behaviors pays off more than identifying very specific file signatures in the long run.


What is Osquery Used For?

Osquery enables access to a myriad of information regarding the state of a machine or infastructure, and for security teams allows the querying of endpoints to detect, investigate, and proactively hunt for threats. Queries might include information related to running processes, kernel modules loaded, active user accounts, active network connections, among others. Osquery's design also allows for an efficient crafting of system queries using SQL statements, making it easy to use by security engineers already familiar with SQL. Used to troubleshoot performance and operational issues, the flexibility within Osquery affords a variety of uses, and insight into a variety of use cases. 


To read more about Cloud Security and Best Practices, check out our Cloud Security and Fundamentals eBook


Osquery Examples

An example of a query and issue that could be solved for is if it's suspected that a malicious program is running on a system, processes can be queried by name and even more granularly - by how many file names it has open.


Who Invented Osquery?

Looking to maintain insight into low-level behavior of operating systems through interactive query consoles, large-scale host monitoring, native packages and extensive documentation, cross platform capabilities, and a modular codebase, the Osquery framework was created by Facebook.


With osquery, you can easily create precise queries to find suspicious launch daemons:

select * FROM signature s JOIN launchd d ON d.program_arguments = s.path WHERE signed=0 AND d.run_at_load=1;

This query returns launchd programs that run at boot and are not signed.

That’s a good place to start and refine until you establish a baseline, and only have to worry about the recently added launch agents and daemons!

Happy hunting.

Related osquery resources:


To read more about Cloud Security and Best Practices, check out our Cloud Security and Fundamentals eBook

cloud fundamentals ebook cta image